Title:
Going with the Flow: Using Network Traffic Data in Incident Response and Analysis

Abstract:

Since the spring of 2005, we have been collecting network flow records at the
Cisco router for the Gates, Packard, and Allen buildings. Our sensor records
TCP, UDP, and ICMP traffic at a rate of 0.5-3 million flows per hour,
20-30 million per day, and 500-700 million per month. The live flows
are stored in heavily indexed MySQL tables. These are available to our
network analysts for monitoring, incident handling, and forensics and have
been used in dozens of investigations.

We start with a brief review of the collection and database infrastructures,
concentrating on what we have learned about tuning for good query response.
Next, we will describe how we have found flow data useful as an aid in
isolating and reconstructing intrusion incidents ranging from the
Windows worms of years past to today's more subtle and criminally
motivated intrusions. The incidents described will include several
in which flows were the critical, and sometimes the only, evidence available.
The talk concludes with a sketch of efforts we are undertaking to automate
some parts of flow analysis and to deal with tables containing a billion
or more events.

Bios:

Doantam Phan is a PhD student in the HCI group at Stanford where he is furiously working towards his defense.

John Gerth is manager of the Graphics Lab and part of the pro bono network security effort
in EE and CS. Prior to coming to Stanford, he spent 17 years at IBM in software development
and later research, but his most challenging job was three years teaching kindergarten.

Identity Based Encryption (IBE) systems are often constructed using bilinear maps (a.k.a. pairings) on elliptic curves. One exception is an elegant system due to Cocks which builds an IBE based on the quadratic residuosity problem modulo an RSA composite N. The Cocks system, however, produces long ciphertexts. Since the introduction of the Cocks system in 2001 it has been an open problem to construct a space-efficient IBE system without pairings. We present a new IBE system in which ciphertext size is short: an encryption of an l-bit message consists of a single element in Z/NZ, plus l + 1 additional bits. Security, as in the Cocks system, relies on the quadratic residuosity problem. The system is based on the theory of ternary quadratic forms and as a result, encryption and decryption are slower than in the Cocks system.

DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies.
We describe a new type of DNS rebinding attack that exploits the interaction between browsers and their
plug-ins, such as Flash Player and Java. These attacks can be used to circumvent firewalls and are highly
cost-effective for sending spam email and defrauding pay-per-click advertisers. We show that the classic
defense against these attacks, called "DNS pinning," is ineffective in modern browsers.

In April, we discussed DNS rebinding attacks at security lunch. Since then, further variations on the attacks
have been discovered. We conducted an experiment on a live ad network showing that rebinding attacks require
less than $100 to temporarily hijack 100,000 IP addresses. We developed a defense tool, dnswall, to stop DNS
rebinding attacks that circumvent firewalls. We also worked with browser and plug-in vendors to implement DNS
rebinding fixes, with successful deployment of a patch to Java.
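As an added illustration of the class of defense the abstract refers to (this is example code, not dnswall's own), the filter below drops DNS answers that map a name outside the organisation's internal zones onto a private, loopback or link-local address, which is what a rebinding attack needs in order to reach hosts behind the firewall; the zone list, policy and sample answers are constructed for the example.

```python
import ipaddress

# Added example, not dnswall's own code: a DNS-response filter of the kind a
# rebinding firewall applies. Assumed policy: an answer that maps a name
# outside our internal zones to a private, loopback, link-local or
# unspecified address is dropped, so an external name cannot be rebound
# to a host behind the firewall.

# Constructed: zones whose names may legitimately resolve to internal addresses.
INTERNAL_ZONES = ("corp.example.",)

# Constructed sample: an external name whose answer mixes a public address
# with internal ones, as a rebinding response would.
SAMPLE_QNAME = "web.example."
SAMPLE_RECORDS = [("A", "20.30.40.50"), ("A", "10.0.0.5"),
                  ("AAAA", "::ffff:192.168.1.1"), ("TXT", "v=spf1 -all")]


def is_internal_name(name: str, zones=INTERNAL_ZONES) -> bool:
    """True if name lies inside one of the trusted internal zones."""
    n = name.lower().rstrip(".") + "."
    return any(n == z or n.endswith("." + z) for z in zones)


def is_rebind_target(addr: str) -> bool:
    """True if addr is one a rebinding attack could use to reach an internal host."""
    ip = ipaddress.ip_address(addr)
    # Treat an IPv4-mapped IPv6 answer (::ffff:10.0.0.1) as its IPv4 address;
    # otherwise older Python versions classify it as a global IPv6 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def filter_response(qname: str, records: list[tuple[str, str]]):
    """Split the (rtype, rdata) answers for qname into (kept, dropped).

    Only A and AAAA records are inspected; other types pass through.
    Malformed address data is dropped rather than forwarded.
    """
    if is_internal_name(qname):
        return list(records), []
    kept, dropped = [], []
    for rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            kept.append((rtype, rdata))
            continue
        try:
            bad = is_rebind_target(rdata)
        except ValueError:
            bad = True
        (dropped if bad else kept).append((rtype, rdata))
    return kept, dropped
```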

We present axioms and inference rules for reasoning about
Diffie-Hellman-based key exchange protocols and use these rules to prove
authentication and secrecy properties of two important protocol
standards, the Diffie-Hellman variant of Kerberos, and IKEv2, the
revised standard key management protocol for IPSEC. The new proof system
is sound for an accepted semantics used in cryptographic studies. In the
process of applying our system, we uncover a deficiency in
Diffie-Hellman Kerberos that is easily repaired.

Martin Casado recently received his PhD from the Stanford computer science department where he served as one
of Professor McKeown's henchmen in the high performance networking group. Martin's primary doctoral research
was focused on designing and implementing secure enterprise network architectures. Prior to enlisting in the
PhD program, Martin hid from the public to do security research at Lawrence Livermore National Laboratory as
part of the information operations and assurance group.

The talk will discuss the current malware landscape, using some data from malware detected by Sana
Security's behavior-based malware detection product. It will discuss how the interplay of defensive
technologies (signature-based/behavior-based) affects this picture. The talk will also cover how
technology changes (Vista, etc.) might affect the landscape.

Bio:

Matthew Williamson is Principal Scientist at Sana Security, and is responsible for inventing and
integrating new technologies into Sana's product lines. He is a primary inventor of the behavior-based
malware detection and removal technology that forms the core of Sana's flagship product,
Primary Response SafeConnect. Prior to joining Sana, he worked at Hewlett-Packard Labs on a virus
containment technology called Virus Throttling. He was educated at the University of Oxford, and
obtained both his Masters and PhD in Computer Science from the Massachusetts Institute of Technology.

Recent research has established that Dynamic Information Flow Tracking (DIFT) can be used to prevent buffer
overflows on unmodified binaries. We present a hardware DIFT design to prevent both control and data pointer
corruption attacks. Our design is evaluated using an FPGA-based prototype that is a full-fledged Linux SPARC
workstation. We demonstrate that this approach can prevent buffer overflow attacks on real-world, unmodified
applications without false positives.